A purpose-built memory system for threat intelligence teams that keeps investigation context in-house when analysts leave. It parses threat reports to extract CVEs, IOCs, ATT&CK techniques, and threat actors, then builds a STIX 2.1 knowledge graph with automatic alias resolution, so APT28, Fancy Bear, and Sofacy collapse to the same node. The MCP server exposes remember and recall operations to Claude, letting you store intel snippets and retrieve them later via blended vector and graph search. It runs entirely offline with local embeddings and optional local LLM inference. It is useful if you're building analyst copilots or agentic workflows that need to reason over past investigations, Sigma rules, or YARA patterns without sending data to external APIs. Storage is SQLite and LanceDB on disk.
claude mcp add --transport stdio rolandpg-zettelforge uvx zettelforge
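
The extraction and alias-resolution step described above, as an added sketch that is not ZettelForge's own code: it pulls CVEs, ATT&CK technique IDs and IPv4 IOCs from reports and merges them onto one STIX-style `intrusion-set` node per actor. The alias table, the UUID namespace, the function names and the sample reports are all constructed for illustration.

```python
import re
import uuid

# Constructed alias table (assumption): canonical name -> other names.
ALIASES = {"APT28": ["Fancy Bear", "Sofacy"]}
# Hypothetical namespace so one actor always yields the same node id.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def canonical_actors(text):
    """Map every alias mentioned in text to its canonical actor name."""
    return {canonical for canonical, others in ALIASES.items()
            for name in [canonical, *others]
            if re.search(r"\b" + re.escape(name) + r"\b", text, re.I)}

def extract(report):
    """Pull actors, CVEs, ATT&CK technique IDs and IPv4 IOCs from one report."""
    text = report.replace("[.]", ".")  # refang defanged indicators first
    return {
        "actors": canonical_actors(text),
        "cves": {m.upper() for m in CVE_RE.findall(text)},
        "techniques": set(TECHNIQUE_RE.findall(text)),
        "ipv4": {ip for ip in IPV4_RE.findall(text)
                 if all(int(octet) <= 255 for octet in ip.split("."))},
    }

def build_graph(reports):
    """Merge reports into intrusion-set nodes keyed by a stable STIX-style id."""
    nodes = {}
    for report in reports:
        entities = extract(report)
        for actor in entities["actors"]:
            node_id = f"intrusion-set--{uuid.uuid5(NAMESPACE, actor)}"
            # Simplification: real STIX 2.1 links these via relationship objects.
            node = nodes.setdefault(node_id, {
                "type": "intrusion-set", "spec_version": "2.1", "id": node_id,
                "name": actor, "aliases": ALIASES[actor],
                "cves": set(), "techniques": set(), "ipv4": set()})
            for key in ("cves", "techniques", "ipv4"):
                node[key] |= entities[key]
    return nodes

# Constructed sample reports (documentation address range, placeholder CVE ids).
REPORTS = [
    "Fancy Bear exploited CVE-2099-0001 and used T1566.001 from 203.0.113[.]7.",
    "Sofacy infrastructure at 203.0.113.7 again; cve-2099-0002, technique T1059.",
]
```

Calling `build_graph(REPORTS)` returns a single node named APT28 even though neither report uses that name, which is the behaviour alias resolution is meant to give.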